Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method to determine whether an application program contains malware, comprising: employing a processor executing computer executable instructions stored on a computer readable storage medium to implement the following acts: monitoring an extensibility point that allows the application program to execute without input from a user, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants; determining whether the application program is scheduled to be installed and added to the extensibility point; informing the user that the application program is scheduled to be installed and added to the extensibility point; sending one or more portions of information regarding the application program that is scheduled to be installed and added to the extensibility point to a remote computer, wherein the remote computer is a trusted entity that is trusted by the user, the remote computer being configured to aggregate application program data from each of the plurality of malware prevention service participants; receiving from a remote computer aggregated application program information indicating the number of other malware prevention service participants who previously allowed and declined the application to be installed; displaying to the user the number of malware prevention service participants that allowed installation of the application program and the number of malware prevention service participants that declined installation of the application program; obtaining decision input from the user regarding whether the application program should be installed, where the user's decision is based upon the received aggregated application information indicating whether other malware prevention service participants allowed or declined installation of the application program; and transmitting a set of data that includes the input obtained from the user to a remote computer, wherein the set of data includes: a signature of an object that is scheduled to be executed when the application program is added to the extensibility point; metadata that describes attributes of the object; and run-time attributes that identify the state of the computer.
2. The method of claim 1, further comprising: if the input obtained from the user indicates that the application program should not be installed, preventing the application program from being installed on the computer; and if the input obtained from the user indicates that the application program should be installed, allowing the application program to be installed on the computer.
3. The method of claim 1, wherein informing the user that the application program is scheduled to be installed and added to the extensibility point includes generating a signature of an object that will be automatically executed if the application program is added to the extensibility point.
4. The method of claim 3, wherein the object from which the signature is generated is added to the program code from a file.
5. The method of claim 3, further comprising: comparing the signature to signatures generated from objects that are known to be associated with malware; and if the signature matches a signature that is known to be associated with malware, informing the user that the application program is malware.
6. The method of claim 1, wherein the signature is generated using a hashing algorithm.
7. The method of claim 1, wherein transmitting a set of data that includes the input obtained from the user includes satisfying requests for additional data; and wherein the additional data include program code that implements the application program.
8. A computer-implemented method of determining whether an application program is malware, comprising: employing a processor executing computer executable instructions stored on a computer readable storage medium to implement the following acts: receiving a set of data at a remote computer system when an application program is scheduled to be installed and added to an extensibility point on a remote computer, the data set being received from a computer system that is monitored for changes to an extensibility point that allows the application program to execute without input from a user, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants, the remote computer being a trusted entity that is trusted by the user, the remote computer being configured to aggregate application program data from each of the plurality of malware prevention service participants, wherein the data set includes: a signature of an object that is scheduled to be executed when the application program is added to the extensibility point; metadata that describes attributes of the object; and run-time attributes that identify the state of the computer; aggregating data that was obtained from a plurality of malware prevention service participants at remote computers including a plurality of indicators regarding whether malware prevention service participants allowed or did not allow the application program to be installed on their respective remote computers; and performing an analysis of the aggregated data to determine whether the application program is malware, wherein the analysis is based upon the aggregated application data indicating whether other malware prevention service participants allowed or declined installation of the application program.
9. The method of claim 8, further comprising: generating a signature from the set of data; if the analysis indicates that the application program is malware, causing the signature to be added to a list of signatures of known malware that is distributed to the plurality of remote computers; and if the analysis reveals that the application program is benevolent, causing the signature to be added to a list of signatures associated with benevolent application programs that is distributed to the plurality of remote computers.
10. The method of claim 8, wherein aggregating together the data that was obtained from the plurality of remote computers includes using a database application to create a view that identifies the number of users who allowed or did not allow the application program to be installed on their computer(s).
11. The method of claim 8, wherein performing an analysis of the aggregated data to determine whether the application program is malware is performed without reverse engineering program code that implements the application program.
12. The method of claim 8, wherein performing an analysis of the aggregated data to determine whether the application program is malware includes re-creating the run-time attributes of a computer in a laboratory setting and observing the functions performed by the application program.
13. A computer-implemented system for determining whether an application program is malware, comprising: a processor; a computer readable storage medium operationally coupled to the processor and storing computer executable instructions, the computer executable instructions, when executed by the processor, implement components comprising: a reporting module that causes a set of data to be transmitted to the backend server when the application program is scheduled to be added to an extensibility point on the client computer including an indication regarding whether a user of the client computer allowed or did not allow the application program to be installed, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants, wherein the set of data includes: a signature of an object that is scheduled to be executed when the application program is added to the extensibility point; metadata that describes attributes of the object; and run-time attributes that identify the state of the computer; an analysis module that is operative to receive the set of data generated by the reporting module and use the data to determine whether the application program is malware; and a database application that aggregates the set of data generated by the reporting module together with data previously received from other computers in the computer networking environment whose users are participants of the malware prevention service, the previously received data includes the number of malware prevention service participants who allowed and did not allow the application program to be installed on their computer, wherein the database application is a trusted entity that is trusted by the malware prevention service participants and wherein the determination as to whether the application program is malware is based upon the received aggregated application information indicating whether other malware prevention service participants allowed or declined installation of the application program.
14. The system of claim 13, further comprising a backend database that is operative to store the set of data transmitted to the backend server; and wherein the database application is further configured to aggregate a view of the data in the backend server that calculates the number of users who allowed or did not allow the application program to be installed on their computer.
15. The system of claim 13, further comprising a signature database operative to store: a list of signatures generated from known malware; and a list of signatures generated from known benevolent application programs.
16. The system of claim 15, wherein the signature database is updated with signatures generated from application programs that are being installed in the computer networking environment.
17. The system of claim 15, wherein the reporting module is further configured to compare a signature generated from the application program to signatures stored in the signature database.
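The claims describe a mechanism rather than code. The following Python sketch, added here and not part of the patent or of any product, models it end to end: a signature of the object an extensibility point would execute (claim 6), the report of claims 1 and 8, the aggregated allow/decline view of claim 10, and the known-malware / known-benign signature lists of claims 9 and 15. The choice of SHA-256, the field names, and the "80% of at least five reports" classification rule are assumptions, since the claims leave both the hash and the analysis unspecified.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Report:
    """One participant's report (claims 1, 8): signature, metadata, run-time state, decision."""
    signature: str
    metadata: dict
    runtime_attributes: dict
    allowed: bool

def object_signature(object_bytes: bytes) -> str:
    # Claim 6 says only "a hashing algorithm"; SHA-256 is an assumption made here.
    return hashlib.sha256(object_bytes).hexdigest()

class AggregationBackend:
    """Trusted backend: per-signature allow/decline counts (claims 8, 10) and the
    known-malware / known-benign signature lists of claims 9 and 15."""
    def __init__(self, min_reports: int = 5, ratio: float = 0.8):
        # Thresholds are an assumed analysis policy; the claims do not specify one.
        self.counts = defaultdict(lambda: {"allowed": 0, "declined": 0})
        self.known_malware, self.known_benign = set(), set()
        self.min_reports, self.ratio = min_reports, ratio
    def receive(self, report: Report) -> None:
        self.counts[report.signature]["allowed" if report.allowed else "declined"] += 1
        self._classify(report.signature)
    def view(self, signature: str) -> dict:
        """Counts shown to the next participant before they decide (claim 1)."""
        return dict(self.counts.get(signature, {"allowed": 0, "declined": 0}))
    def lookup(self, signature: str) -> str:
        """Verdict from the distributed signature lists (claim 9)."""
        if signature in self.known_malware:
            return "malware"
        return "benign" if signature in self.known_benign else "unknown"
    def _classify(self, signature: str) -> None:
        c = self.counts[signature]
        total = c["allowed"] + c["declined"]
        if total >= self.min_reports and c["declined"] / total >= self.ratio:
            self.known_malware.add(signature); self.known_benign.discard(signature)
        elif total >= self.min_reports and c["allowed"] / total >= self.ratio:
            self.known_benign.add(signature); self.known_malware.discard(signature)

def demo() -> tuple:
    """Constructed scenario: five participants see the same new autostart entry."""
    backend = AggregationBackend()
    sig = object_signature(b"constructed autostart binary contents")
    for allowed in (False, False, True, False, False):
        backend.receive(Report(sig, {"name": "updater.exe"}, {"os": "test"}, allowed))
    return backend.view(sig), backend.lookup(sig)
```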
June 1, 2010